for security reasons is necessary remove all mi sensitive comments like urls, so i wonder if is necessary to remove it from my strings.xml file, because I researched and I found when application is package into *.apk the comments inside of an layout.xml will be suppressed, but i can't figured out if it apply too for the comments in the path res/values/*.xml
Do you have any idea?
Thanks for your support.
No, you don't have to remove the comments from any xml resources. They are removed automatically when you compile the apk file.
Related
I am trying to change the language of my flutter application that uses the firebase_ui_auth library
I added the resConfigs parameter 'es' in the build.gradle file and created the values-en folder but it doesn't work.
SC:
First, please don't put the full git repository into a question - it contains sensitive information and keys please avoid this ... please try to put a problem code snippet.
Stackoverflow is not responsible for your security - is someone debugging your code with your all information?
I have been doing lot of research on how to prevent people from accessing the manifest and layout files.
i know proguard is used for obfuscating code, but then it works only on Java code not on the res folder.
I have been through some answers like download content at run time instead of keeping them in assets and all that. But for now my concern is not to protect asset files. In my case it's manifest and the res folder I need to take care of. I have many types of keys stored in there like analytics xml file app_tracker.xml for example.
This isn't only about the secret keys I have in xml files, but also the logic of layout designing that is at risk.
These are the threads I found while I was doing research, but nothing was of any help to me.
1) How to avoid reverse engineering of an APK file?
2) How to protect a java application from reverse-engineering or code stealing?
I know reverse engineering cannot be avoided, but is there any way I can protect my manifest from being readable from hackers?
You could take a look at DexGuard, which is the commercial variant of ProGuard. It allows you to also encrypt the layout files and obfuscate the content of the manifest and other resource files (together with many other things).
If a phone can parse the manifest in order to install the app, then a user can parse the manifest too. It's as simple as that.
On a side note, obfuscation doesn't prevent people from seeing what's in your app - it just gives you a false sense of security. The security model of your app should assume that anything contained in the apk is public knowledge.
I'm making an Android game and I would like some of the data to be specified via XML, specifically the strings.xml file. Would changes to the data found in the strings.xml file require that I compile the project again before the made changes take effect?
Answer to your question is YES. This is due to you are referring those string in your xml files in form of #String/somename so this id must have to be available in your R.java file. Thus to reflect changes in your R.java file you must have to compile code and may be possible clean project to reflect changes
Yes they do need compilation.
To save time set Build Automatically in your eclipse then whenever you save the code gets build automatically then and there. This will save a lot of time as all you need to press is Ctrl + S
yes do need to compile again for all changes..
For my personal purposes I'd like to parse comments in Android Manifest file. In these comments there can be tags with attributes and values that I want to extract. It is similar to tag in html files that is usually commented because some browsers does not support this tag. So I want to implement similar things in android manifest.
I know that in Android manifest file is parsed using SAXParser. Moreover, I think I should use LexicalHandler for this purposes but I've never faced before with this functionality and I want to know how to do this. Code snippets and any help will be highly appreciated!
I'm entirely sure that you cannot parse the raw XML Manifest, because like everything that is in the res folder (except res/raw), the manifest is compiled and stored in a binary format, so the comments are removed.
Maybe you can play with xmlns and capture the manifest parsing... But I doubt it, the Manifest is interpreted by the package manager, and I don't think that you can have access to it.
The solution (from your feedbacks):
The requested feature is impossible, because during the compilation all comments from AndroidManifest file are removed.
You can check this in the following way:
Create a simple app project (Hello World) and add comments in your AndroidManifest file.
Compile project and export an .apk file (signed or unsigned).
Using tools like apktool or similar extract your apk file.
Check the result in AndroidManifest.xml - there are no comments.
You should try to find other way.
I don't think it is possible as the AndroidManifest is not available as a classpath resource. The only way I can think of is to actually make a copy of the AndroidManifest.xml into your source files and have it built as a compiled object using an ant target
Then you just access it like a normal XML file using the XML APIs.
I hate to be that guy, but you should probably maintain your custom XML in /assets/ and not overload the manifest.xml file.
I have tried literally everything to figure out why no new layout files are being added to my R.java file in eclipse. Nothing is working.
I have:
Restarted Eclipse
Used Project>Clean
Deleted R.java (had to restore because it would not autoregenerate no matter what I did)
Ensured all methods are defined in SDK version
Rebuilt the project
Unchecked auto-build
Every combination of above options
Been tempted to throw my computer across the room
Does anyone have any suggestions?
Check you don't have any errors inside one of your xml files. That is, check not only for xml file name errors but also for errors in the xml code, for example an illegal attribute, a forgotten tag etc. Check this in all your xml files, not just layout files but also anim, xml drawables etc. These errors don't show up in the error log but will prevent the R.java from being generated.
When I experienced the same issue as you this was often the reason. The error highlight was only visible inside the file, not the error log.
Net, go through every xml file with a fine comb.
I faced this kind of problem many times. From my thoughts it is caused due to the problem of images in the drawable or case sensitive of layout file (everything should be small). Check your case sensitive of layout file.
I will give all possible solutions that i had done when something like this happened with me
Project-->clean
Check for library if there was any for that
RightClick-->Properties-->Android-->add
Restart Eclipse
Check in
the manifest for if you have many packages make sure u are using the
activity declared package.
I would check the imported R. The problem could be that you have
import android.R;
instead of
import com.myproject.R;
Project -> and check Build Automatically
Is there any error in your resource files? If there is any error in your resource files the R file will not be generated.
When first of u go on Project->Clean the your application then refreshing and auto genrated R.java file for your apps.
Not to be repetitive, but did you check the Android manifest file? The error there doesn't usually pop up.
Did you check for other locale letters (maybe whitespaces too?) in the filenames? Letters that look exactly like Latin.
I think I had similar problem with the names. You can try rewriting your files' names.
Project Explorer (Right click on your project) -> Build Project
This worked for me.